Defense in Depth for AI: The MCP Security Architecture You’re Missing
As AI agents become integral to cloud native applications, the Model Context Protocol (MCP) has emerged as a leading standard for enabling these agents to interact with external tools and data sources. But with this new architectural pattern comes a critical security challenge: MCP-based systems require protection at three distinct layers, not just one.
The traditional approach of securing applications with just an API Gateway is insufficient. To truly protect these systems—and the sensitive data and APIs they access—you need the “Triple Gate Pattern”: coordinated protection at the AI layer, the MCP layer, and the API layer.
Why the Triple Gate Pattern Matters
Consider this scenario: A developer deploys an AI agent to help the finance team with expense reporting. The agent has access to an MCP Server with tools for reading employee data, querying financial systems, and sending approval emails. An attacker who has infiltrated the backend manipulates the LLM through carefully crafted prompts, convincing it to query salary information for all employees and email the results externally.
With only an API Gateway, you might catch the suspicious email at the last moment—but the damage is done. The Triple Gate Pattern, however, stops this attack at multiple points: blocking the malicious prompt at the AI layer, preventing unauthorized tool access at the MCP layer, and catching the exfiltration attempt at the API layer.
Understanding the Three Attack Surfaces
MCP-based AI agent systems have three distinct pathways, each representing a potential attack surface:
Pathway 1: Client to LLM—Where prompts are sent to the LLM and prompt injection attacks occur.
Pathway 2: Client to MCP Server—Where the LLM requests access to tools and sensitive data through the MCP Server.
Pathway 3: MCP Server to External APIs—Where the MCP Server calls external services, potentially executing unauthorized actions.
Each pathway requires distinct security controls. A breach at any layer can compromise the entire system.
The First Gate: AI Layer Protection
The first layer governs the conversation with the LLM itself, ensuring inputs and outputs meet security requirements.
Key capabilities:
Authentication and authorization before prompts reach the LLM
PII data filtering, especially when using third-party LLM services
Topic control to enforce what the LLM can discuss
Content safety to detect jailbreak attempts and prompt injection
Observability for audit trails and anomaly detection
Without this gate, attackers could manipulate the LLM into leaking training data or revealing your MCP server’s capabilities.
The Second Gate: MCP Layer Protection
The MCP layer is the most overlooked component, yet it’s critical for preventing unauthorized access to your organization’s data and capabilities.
Key capabilities:
Authentication and authorization with fine-grained access controls
Resource policies defining which MCP resources specific clients can access
Tool policies controlling which tools can be invoked and under what conditions
Dynamic rules considering time, location, or data sensitivity
Observability tracking which tools are invoked, by whom, and how frequently
This middle gate enforces least privilege for AI agents. Even if an attacker manipulates the LLM, MCP layer protection prevents unauthorized tool invocation and data access.
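The following is an added example, not code from the article or from any gateway product, of what an MCP-layer gate actually evaluates: it sits in front of the MCP Server, inspects each JSON-RPC 2.0 `tools/call` request, and applies a per-client tool allowlist, argument constraints, and a time-based dynamic rule, recording an audit entry for every decision. The client id `finance-expense-agent`, the tool names, and the policy shape are assumptions built around the expense-reporting scenario above.

```python
"""Added example (not from the article): a minimal MCP-layer policy gate.

It inspects MCP JSON-RPC 2.0 ``tools/call`` requests before they reach the
MCP Server, enforces a per-client tool allowlist, argument constraints and a
time-based dynamic rule, and records every decision for observability.
Client ids, tool names and the policy shape are assumptions made for the
expense-reporting scenario; they are not part of any real product.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional

Condition = Callable[[dict, datetime], Optional[str]]


def deny_bulk_salary(args: dict, now: datetime) -> Optional[str]:
    """Salary fields may be read for one employee_id only, never for everyone."""
    if "salary" in args.get("fields", []) and args.get("employee_id") is None:
        return "salary data may only be read for a single employee_id"
    return None


def business_hours_only(args: dict, now: datetime) -> Optional[str]:
    """Dynamic rule: approval mail is only sent between 08:00 and 18:00 UTC."""
    if not 8 <= now.hour < 18:
        return "send_approval_email is restricted to business hours (UTC)"
    return None


# Constructed policy: tools each MCP client may invoke, with the conditions
# that must all pass (each condition returns a denial reason or None).
POLICY: Dict[str, Dict[str, List[Condition]]] = {
    "finance-expense-agent": {
        "read_employee_data": [deny_bulk_salary],
        "query_financial_system": [],
        "send_approval_email": [business_hours_only],
    },
}


@dataclass
class Decision:
    allowed: bool
    reason: str
    audit: dict = field(default_factory=dict)  # what the gate logs


def evaluate_tool_call(client_id: str, request: dict,
                       now: Optional[datetime] = None) -> Decision:
    """Decide whether one MCP request from client_id may be forwarded."""
    now = now or datetime.now(timezone.utc)
    audit = {"ts": now.isoformat(), "client": client_id,
             "method": request.get("method"), "id": request.get("id")}
    if request.get("method") != "tools/call":
        # initialize, tools/list and so on pass through in this example; a
        # complete gate would apply resource policies to them as well.
        return Decision(True, "not a tools/call request", audit)
    params = request.get("params") or {}
    tool = params.get("name")
    args = params.get("arguments") or {}
    audit["tool"] = tool
    client_policy = POLICY.get(client_id)
    if client_policy is None:
        return Decision(False, f"unknown client {client_id!r}", audit)
    if tool not in client_policy:
        return Decision(False, f"tool {tool!r} not permitted for {client_id}", audit)
    for condition in client_policy[tool]:
        reason = condition(args, now)
        if reason:
            return Decision(False, reason, audit)
    return Decision(True, "allowed", audit)


def jsonrpc_error(request_id, message: str) -> dict:
    """JSON-RPC 2.0 error the gate returns to the client instead of forwarding
    the call; -32000 lies in the range JSON-RPC reserves for server-defined errors."""
    return {"jsonrpc": "2.0", "id": request_id,
            "error": {"code": -32000, "message": message}}


if __name__ == "__main__":
    now = datetime(2025, 11, 10, 22, 30, tzinfo=timezone.utc)  # constructed timestamp
    # Constructed requests mirroring the article's scenario.
    requests = [
        {"jsonrpc": "2.0", "id": 1, "method": "tools/call",
         "params": {"name": "read_employee_data",
                    "arguments": {"fields": ["name", "salary"]}}},
        {"jsonrpc": "2.0", "id": 2, "method": "tools/call",
         "params": {"name": "send_approval_email",
                    "arguments": {"to": "manager@example.com"}}},
    ]
    for req in requests:
        d = evaluate_tool_call("finance-expense-agent", req, now)
        print(d.audit, "->", "forward" if d.allowed else jsonrpc_error(req["id"], d.reason))
```

The bulk salary request is refused even though the LLM was convinced to issue it, which is the least-privilege property the paragraph describes: the gate judges the tool call, not the conversation that produced it. The audit dictionary is what a unified control plane would ship to its observability pipeline.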
The Third Gate: API Layer Protection
The API layer provides protection where MCP Servers interact with your actual APIs and backend services.
Key capabilities:
Intelligent rate limiting that accounts for agent behavior
Content inspection for APIs that send emails or messages
Traditional API security: authentication, authorization, input validation
Flexible enforcement supporting both custom policies and adaptive controls
This final gate catches what other layers miss. An agent with email API access could be manipulated into sending phishing emails—API layer protection can detect and block such attempts.
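As an added example (not from the article or any product), here is the shape of an API-layer gate in front of an email-sending API: a sliding-window rate limit keyed by agent identity rather than source address, plus content inspection that flags recipients outside an allowed domain set and message bodies that look like a bulk financial dump. The allowed domain `example.com`, the payload fields, the regex and the thresholds are constructed assumptions.

```python
"""Added example (not from the article): an API-layer gate for an outbound
email API, combining a per-agent sliding-window rate limit with content
inspection of the message before it is forwarded. Domain names, the payload
shape and the thresholds are constructed assumptions.
"""
import re
import time
from collections import deque
from typing import Deque, Dict, List, Optional

# Constructed: mail may only go to these domains without a human in the loop.
ALLOWED_RECIPIENT_DOMAINS = {"example.com"}
# Dollar amounts such as $85,000 or $85000.00; many of them in one message is
# the shape of a bulk salary dump rather than a single expense approval.
CURRENCY_RE = re.compile(r"\$\s?\d{1,3}(?:,\d{3})+(?:\.\d{2})?|\$\s?\d{4,}(?:\.\d{2})?")
BULK_AMOUNT_THRESHOLD = 10


class AgentRateLimiter:
    """Sliding-window limiter keyed by agent identity. Agents retry in tight
    loops, so the budget is set per agent rather than per source IP."""

    def __init__(self, max_calls: int, window_seconds: float) -> None:
        self.max_calls = max_calls
        self.window = window_seconds
        self._calls: Dict[str, Deque[float]] = {}

    def allow(self, agent_id: str, now: float) -> bool:
        q = self._calls.setdefault(agent_id, deque())
        while q and now - q[0] >= self.window:
            q.popleft()  # drop calls that fell out of the window
        if len(q) >= self.max_calls:
            return False
        q.append(now)
        return True


def recipient_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].strip().lower()


def inspect_email_call(agent_id: str, payload: dict, limiter: AgentRateLimiter,
                       now: Optional[float] = None) -> List[str]:
    """Return the list of policy violations; an empty list means forward."""
    now = time.time() if now is None else now
    findings: List[str] = []
    if not limiter.allow(agent_id, now):
        findings.append("rate limit exceeded for agent")
    for rcpt in payload.get("to", []):
        if recipient_domain(rcpt) not in ALLOWED_RECIPIENT_DOMAINS:
            findings.append(f"external recipient {rcpt}")
    amounts = CURRENCY_RE.findall(payload.get("body", ""))
    if len(amounts) >= BULK_AMOUNT_THRESHOLD:
        findings.append(f"body carries {len(amounts)} currency amounts (possible bulk financial data)")
    return findings


if __name__ == "__main__":
    limiter = AgentRateLimiter(max_calls=5, window_seconds=60)
    # Constructed payload resembling the exfiltration attempt in the scenario.
    dump = "\n".join(f"Employee {i}, ${80 + i},000" for i in range(12))
    suspicious = {"to": ["outside@other-domain.test"], "subject": "report", "body": dump}
    print(inspect_email_call("finance-expense-agent", suspicious, limiter, now=100.0))
```

Every violation is collected rather than returning on the first one, so the audit record shows the full picture (external recipient and bulk data together is a stronger signal than either alone), which is what the correlation across layers in later sections relies on.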
Don’t Deploy Three Products
Here’s the critical insight: you need three layers of protection, but not three separate gateway products. The operational overhead would be prohibitive and create gaps between layers.
Instead, look for a unified gateway platform that applies all three security layers from a single control plane. The platform must understand and enforce policies appropriate to each pathway.
When evaluating gateway solutions, ask vendors:
Can your platform secure the AI, MCP, and API layers in a unified way?
How do you enforce different policy types without requiring separate products?
Can policies be correlated across all three layers to detect multi-stage attacks?
Does your observability span all pathways to show the complete attack chain?
Deploying the Pattern in Kubernetes
For cloud native practitioners, implementing the Triple Gate Pattern should follow these principles:
Unified Control Plane: Deploy a single gateway platform that applies different policy types based on traffic characteristics using configuration rather than separate products.
Policy as Code: Store gateway policies in version control and deploy using GitOps workflows, ensuring policies are versioned, auditable, and promoted through environments.
Holistic Observability: Ensure your gateway provides correlated visibility across all three layers to trace requests from initial prompt through tool invocation to final API call.
Flexible Deployment: The gateway can run centrally or use sidecars for lower latency, as long as it enforces policies consistently across all pathways.
Practical Recommendations
Organizations deploying MCP-based AI agents should:
Demand vendors support all three layers. Your platform must understand AI prompts, MCP tool invocation, and traditional API calls.
Avoid operational fragmentation. Push vendors to deliver these capabilities in a unified platform.
Start with the AI layer. This provides immediate risk reduction by preventing prompt injection and PII leakage.
Monitor holistically. Demand correlated visibility across all three pathways.
Test all three layers. Red team your AI agents, attempting to bypass protections at each layer.
Conclusion
As AI agents become more autonomous and deeply integrated into business-critical workflows, the Triple Gate Pattern represents the defense-in-depth approach this threat landscape demands.
The cloud native community hardened containers and Kubernetes through layers of defense. We must apply the same rigorous approach to AI agent security. But just as we didn’t deploy separate products for every security concern in Kubernetes, we shouldn’t accept fragmented tooling for AI security.
Demand that vendors deliver the Triple Gate Pattern in a unified, operationally efficient way. Your AI agents—and your organization’s data—depend on it.
KubeCon + CloudNativeCon North America 2025 is taking place in Atlanta, Georgia, from November 10 to 13.
